September 25, 2021

Volume XI, Number 268


September 24, 2021

Subscribe to Latest Legal News and Analysis

September 23, 2021

Subscribe to Latest Legal News and Analysis

September 22, 2021

Subscribe to Latest Legal News and Analysis

Friend or Foe? The DOC Issues New Interim Rule on Transactions Involving Information and Communication Technology or Services (“ICTS”) and Foreign Adversaries

On January 19, 2021, the U.S. Department of Commerce (“DOC”) issued an interim final rule governing transactions in Information and Communication Technology or Services (“ICTS”) involving “foreign adversaries.” Although the rule takes effect on March 22, 2021, it allows DOC to review covered transactions initiated, pending, or completed on or after January 19, 2021.

The interim rule grants DOC the authority to regulate certain transactions between U.S. persons and foreign adversaries involving ICTS that pose under or unacceptable risks.[1]

The DOC is accepting public comments on the rule through March 31, 2021.


The rules are designed to implement EO 13873, issued on May 15, 2019, entitled “Securing the Information and Communications Technology and Services Supply Chain.” That EO sought to address concerns that foreign adversaries are exploiting ICTS to economic and industrial espionage and other adverse actions against the U.S.[2] The new rules follow the issuance of a proposed rule on November 26, 2019 (see our prior post here).

ICTS Products

ICTS includes any hardware, software or service (e.g., cloud computing services) that is “primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means,” including by “transmission, storage, or display.” Such products and services include ongoing activities, such as managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications for consumer download.

“Foreign Adversaries”

The interim rule identifies the following as “foreign adversaries”:

  • China (including Hong Kong);

  • Cuba;

  • Iran;

  • North Korea;

  • Russia; and

  • Nicolas Maduro (Maduro Regime)

The list is not exhaustive or final, but can be revised by DOC as necessary.

The scope of prohibited transactions are those between U.S. persons and a “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” which includes:

  • Any person, wherever located, who acts as an agent, representative, employee, or any other capacity at the order, request, direction, or control of a foreign adversary;

  • A person whose activities are directly or indirectly supervised, directed, controlled, financed or subsidized in whole or in majority part by a foreign adversary;

  • Any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary;

  • Any corporation, partnership, association, or organization organized under the laws of a nation-state controlled by a foreign adversary; or

  • Any corporation, partnership, association, or organization, regardless of where it is organized, that is owned or controlled by a foreign adversary.[3]

Covered ICTS Transactions

The rule covers six main types of ICTS Transactions:

  1. Critical Infrastructure[4]

  2. Network Infrastructure/Satellites[5]

  3. Data Hosting or Computing of Sensitive Personal Data[6]

  4. Certain Surveillance and Monitoring Devices, Networking Devices, and Drones[7]

  5. Certain Communication Software[8]

  6. Emerging Technologies[9]

The rule applies to covered transactions that are initiated, pending, or completed on or after January 19, 2021. Any act or service with respect to a covered transaction, such as execution of any provision of a managed services contract, installation of software updates, or the conducting of repairs, is a transaction on the date that the service, update, or repair is provided, even if it was provided pursuant to a contract entered prior to January 19, 2021.

CFIUS Considerations

The rule does not apply to ICTS transactions that the Committee on Foreign Investment in the United States (“CFIUS”) is actively reviewing, or has reviewed, as a “covered transaction” (i.e., subject to CFIUS’ jurisdiction). However, this exclusion does not preclude a review of a subsequent transactions if distinct from the previously CFIUS-reviewed transaction or if new information is discovered.

Regulatory Review Process for Covered ICTS Transactions

The DOC process for review of ITCS covered transactions includes 6 key steps: referral; initial review of the referral; first interagency consultation; initial determination; second interagency consultation; and final determination.

At the initial determination stage, if the transaction is deemed to pose an undue or unacceptable risk, the DOC will either prohibit the transaction or propose mitigation measures.[10] Within 30 days of notification,[11] a party may respond in writing by:

  • Submitting arguments or evidence that the party believes establishes that insufficient basis exists for the initial determination, including any prohibition of the transaction;

  • Proposing remedial steps on the party’s part, such as corporate reorganization, disgorgement of control of the foreign adversary, engagement of a compliance monitor, or similar steps, which the party believes would negate the basis for the initial determination.

Following consultation with the interagency, the DOC will make a final determination on whether to prohibit the transaction, approve, or approve with conditions. Absent extensions, DOC will issue decisions within 180 days.


DOC will establish procedures for parties to seek a license. License application reviews will not exceed 120 days. If DOC does not issue a license decision within that timeframe, the application will be deemed granted.


  • Companies affected by the interim rule may wish to consider submitting comments before the March 22, 2021 deadline.

  • Companies are encouraged to review their supply chains to ensure that their activities are not be captured under the rule (i.e., that it is not a covered ITCS transaction).


[1] See Securing the Information and Communications Technology and Services Supply Chain, 86 Fed. Reg. 4909 (Jan. 19, 2021).

[2] EO 13873 noted, “foreign adversaries are increasingly creating and exploiting vulnerabilities in [ICTS], which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions, including economic and industrial espionage against the United States and its people.”

[3] In making determinations of whether an ITCS Transaction involves ICTS designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary, the DOC will consider: (1) whether the party or its component suppliers have headquarters, research, development, manufacturing, test, distribution, or service facilities or other operations in a foreign country, including one controlled by a foreign adversary; (2) personal and professional ties between the party—including its officers, directors or similar officials, employees, consultants, or contractors—and any foreign adversary; (3) laws and regulations of the foreign adversary in which the party is headquartered or conducts operations, including research and development, manufacturing, packaging, and distribution; and (4) any other criteria that the Secretary deems appropriate.

[4] Designated as critical infrastructure by Presidential Policy Directive 21—Critical Infrastructure Security and Resilience, including any subsectors or subsequently designated sectors.

[5] Software, hardware, or any other product or service integral to wireless local area networks, mobile networks, satellite payloads, satellite operations and control, cable access points, wireline access points, core networking systems, or long- and short-haul systems

[6] The term “sensitive personal data” includes: (1) Personally Identifiable Information (i.e., data that can identify individuals) that is maintained or collected by a U.S. business operating in specific areas, and that is maintained or collected on over one million people over a 12 month period; and (2) results of individual genetic testing.

[7] More than 1 million units of the product must have been sold to U.S. persons in the 12 months prior to the transactions

[8] The products must be designed primarily for connecting with and communicating via the internet that is in use by more than 1 million U.S. persons at any point over the twelve months preceding the Transaction. Some examples include desktop applications; mobile applications; and gaming applications.

[9] “Emerging Technologies” are ICTS integral to artificial intelligence and machine learning, quantum key distribution, quantum computing, drones, autonomous systems, or advanced robotics.

[10] Notification can be accomplished either through publication in the Federal Register or by serving a copy of the initial determination on the parties via US mail, facsimile, and electronic transmission, or third-party commercial carrier, to an addressee’s last known address or by personal delivery.

[11] If the Department receives no response from the parties within 30 days of service, the DOC may determine to issue a final determination without the need to engage in a further consultation process provided for under the rule.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 27

About this Author

J. Scott Maberry, Lawyer, Sheppard Mullin, International Trade, Trade Practice

Mr. Maberry is an International Trade partner in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice

Mr. Maberry's expertise includes counseling and litigation in export controls, the Foreign Corrupt Practices Act (FCPA), anti-terrorism, economic sanctions, anti-boycott controls, and Customs.  He also represents clients in negotiations and dispute resolution under the World Trade Organization (WTO), North American Free Trade Agreement (NAFTA), and other multilateral and...

Fatema Merchant, international, trade, Lawyer, Sheppard Mullin

Fatema Merchant is an associate in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Fatema’s practice focuses on investigations and compliance counseling related to international trade laws.  She has extensive experience with U.S. Foreign Corrupt Practices Act and U.S.-Sanctioned Countries investigations, compliance, due diligence, and training.  Fatema also advises clients on compliance with International Traffic in Arms Regulations, Export Administration Regulations, Customs and Anti-Money Laundering...

Mario Andres Torrico Government Investigations Attorney Sheppard Mullin

Mario Torrico is an associate in the Government Contracts, Investigations, and International Trade Practice Group in the firm's Washington, D.C. office.

Mario focuses his practice on compliance counseling, investigations, and cross-border transactional work concerning international trade matters including customs, trade remedies, export controls, economic sanctions and embargoes, the Foreign Corrupt Practices Act (FCPA), and other areas of international trade law.

Prior to entering the private sector, he served as an...